Don't Burn Your Android Yet

A few days ago, security firm Perception Point released the details of a
zero-day exploit in the Linux kernel, which has sparked a wave of panic as
the report indicated that millions of Android devices are vulnerable.

Although patching security problems is quite easy on most Linux distros, it's
a lot harder for Android users. PC users and server admins usually
can update their systems with a few terminal commands or through a GUI software
store.

The update process is different for Android devices. Android users have to
wait for over-the-air updates from the manufacturer.

However, Google's Android security lead Adrian Ludwig claims that the
majority of Android devices are actually safe. Android 4.4 and earlier use
older versions of the kernel that never contained the bug. And even after
the bug was introduced into the kernel, most versions of Android don't
include the keyrings feature in the kernel.
Finally, more recent versions of Android use SELinux, which blocks
userspace programs from deploying a payload that can be executed using the
exploit.

The "keyrings" exploit takes advantage of a bug inside the keyrings
feature. In an ironic twist, keyrings is supposed to make Linux more
secure. It's used to cache security details, keys and certificates.

Although you would expect a keyrings exploit to expose passwords and
logins,
it's actually a lot less direct. A small bug makes it possible to use the
feature to force the kernel to execute arbitrary code. The malicious
payload gains full root privileges, putting the entire system at risk.

In short, a malicious process requests a new keyring for the session, and
then it spams the kernel with requests for a keyring with an identical name.
The code in the kernel recognizes that the keyring already exists and
sends an error code.

The bug is that the internal "reference count" for the keyring is increased
each time a request is sent. This reference count is used by the kernel to
keep track of how many programs are using the keyring. When all
applications have finished with the keyring, the kernel is free to delete
it.

Each extra request increases the reference count by one.
By sending billions of spurious requests, the malicious code can force the
reference count to overflow to zero. At that point, from the kernel's
point of view, the key is released and can be erased.

After tricking the kernel, the malicious process overwrites the freed
memory with a sinister payload. One way it can achieve this is through the
inter-process communication feature (IPC).

Because the malicious code has a reference to the keyring in memory, it
can force the kernel to treat it as a normal keyring. Certain system
calls get the kernel to execute code from a keyring object, but the
actual code stored in memory isn't a keyring object anymore. And so
the malicious process is able to trick the kernel to run the payload
with root-level privileges.

This is pretty scary stuff. Fortunately, Perception Point informed the
Linux kernel team before announcing the news to the rest of the world.
Patches are available and can be installed through the normal channels.

The initial reports that 66% of Android devices are vulnerable were an
overstatement, but
some devices are affected. The Android team is
working on a fix, but it won't be available until March 1, 2016.